3

How do I create a user using Microsoft Graph? I am having issues with permission failures during a save.


I do have a few questions in mind.

  1. Where will the user be created by calling the create user API in Graph? Is it in Azure AD or somewhere else?

  2. I tried calling the create user API by passing JSON and the required headers; below is the error I get.


  3. Where exactly do I need to set the permission? I have already added permissions in the Application Registration Portal.


But when the API is executed it shows that I don't have enough permission.

FYI, I have registered the app using the same email id that I am using to test the APIs here https://developer.microsoft.com/en-us/graph/graph-explorer#

If I am not the admin, where exactly do I need to set or request it?

ΩmegaMan
Darshan S
  • Remove the Authorization header in Graph Explorer, it should add it for you if you sign in – juunas Aug 30 '18 at 07:44
  • Do you choose `Directory.ReadWrite.All, Directory.AccessAsUser.All` in the `modify permissions` on the left of the MS Graph Explorer? Also, as juunas said, if you log in, you don't need to add Authorization in the header. – Joy Wang Aug 30 '18 at 07:56
  • Tried, with the header and without the header, but no luck. And yes, I have one more doubt here: when I tried to modify permissions and select Directory.ReadWrite.All, Directory.AccessAsUser.All it says **You have selected permissions that only an administrator can grant. To get access, an administrator can grant access to your entire organization.** So, I believe it is something to do with permissions. – Darshan S Aug 30 '18 at 10:42

2 Answers

7

In order to create a User via Microsoft Graph, you need to request either Directory.ReadWrite.All or Directory.AccessAsUser.All permission.

Important: Directory.ReadWrite.All and Directory.AccessAsUser.All both require Admin Consent before you can use them. If you're using Graph Explorer then the URI you need to provide your tenant Admin will be generated for you. If you're doing this in your own application, you'll need to construct an Admin Consent URI yourself. You can find more details on this at v2 Endpoint & Admin Consent.

Once you have the proper permissions configured (and consented), you'll want to POST the following JSON body/payload to https://graph.microsoft.com/v1.0/users:

```json
{
  "accountEnabled": true,
  "displayName": "displayName-value",
  "mailNickname": "mailNickname-value",
  "userPrincipalName": "upn-value@tenant-name.onmicrosoft.com",
  "passwordProfile": {
    "forceChangePasswordNextSignIn": true,
    "password": "password-value"
  }
}
```

This will create a user with a temporary password. The user will be asked to set a new password as soon as they authenticate for the first time.

Marc LaFleur
  • After assigning the right in the portal I needed to hit "grant admin consent" (or something) before it worked. – Martin Meeser Nov 13 '21 at 20:37
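A diagnostic for the permission error discussed in this thread, added here as an example and not code from any of the posters: it reads the `scp` (delegated) and `roles` (application) claims of an access token to see whether either directory permission was actually consented, and builds the admin consent link to give an administrator otherwise. The sample tokens, tenant name, client ID, redirect URI and state value are constructed placeholders, and the payload is decoded without signature verification, which is suitable only for troubleshooting your own token.

```python
import base64
import json
from urllib.parse import urlencode

# Either permission is enough to create users, per the answer above.
REQUIRED = {"Directory.ReadWrite.All", "Directory.AccessAsUser.All"}


def token_claims(jwt: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> set:
    """Delegated permissions are in 'scp' (space separated), app permissions in 'roles'."""
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))


def can_create_users(jwt: str) -> bool:
    return bool(REQUIRED & granted_permissions(token_claims(jwt)))


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Link for a tenant administrator; 'state' is echoed back so the app can match the reply."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}"


def sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


UNCONSENTED = sample_token({"scp": "User.Read openid profile"})
CONSENTED = sample_token({"scp": "Directory.AccessAsUser.All User.Read"})
APP_ONLY = sample_token({"roles": ["Directory.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in [("unconsented", UNCONSENTED), ("consented", CONSENTED), ("app-only", APP_ONLY)]:
        print(name, sorted(granted_permissions(token_claims(tok))), can_create_users(tok))
    print(admin_consent_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                            "https://localhost/consent", "constructed-state"))
```

A token that still lacks both permissions after they were added in the portal means consent has not been granted yet, which matches the "only an administrator can grant" message quoted in the comments.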
0

> Where will the user be created by calling create user API in graph? Is it in Azure AD or somewhere else?

Yes, the user created is in the Azure AD.

> I tried calling create user api by passing json and required headers, below is the error I get

For your error, have you added the request body like the following? This requires admin:


> Where exactly do I need to set the permission, I have already added permissions in the Application Registration Portal

The required permissions to create application:

For the details, please read here.

SunnySun
  • Thanks for the reply, I tried but it didn't work. Also, I believe that since I am not able to set **Directory.ReadWrite.All, Directory.AccessAsUser.All** permissions by clicking on modify permissions, it says **You have selected permissions that only an administrator can grant. To get access, an administrator can grant access to your entire organization.** So, I believe it is something to do with permissions. – Darshan S Aug 30 '18 at 10:46
  • "to get access, an administrator can grant access to your entire organization." Log in with an Exchange admin account – mirik Feb 14 '20 at 18:28